arthead - stock.adobe.com
The infosec community has a fair amount of concern over the increased use of low-code/no-code application and development methods, but that doesn't mean these same platforms can't be used to improve security, too.
To start, the security concerns have been justified -- for the most part. Most low-code/no-code platforms are hosted, so customers can't always be sure of the security practices and controls in use within the deployment environment. This is akin to the cloud service provider dilemma, where customers submit questions to CSPs about security and often receive generic attestation documents in return, if anything at all.
Additionally, low-code/no-code platforms often offer little insight into their coding and developing practices, meaning users can quickly and easily cobble together code that doesn't meet security best practices. Plus, static and dynamic code/application scanning is rarely done within any of these environments -- at least that customers know about.
This all feels new and uncomfortable, but some significant security-oriented low-code/no-code use cases are emerging with these tools and services that could change some security professionals' minds before long.
Let's look at three such use cases.
More secure code
The code produced by low-code/no-code platforms could be better than what may have been produced in-house. Security professionals need to weigh the risk scenarios here, as much depends on the maturity of the provider and its willingness to be forthcoming regarding code and security controls, as well as the skills and capabilities of the would-be developers or other stakeholders invested in creating applications.
For example, organizations with a highly mature development team and a range of security tooling to evaluate code for security flaws are better off using their in-house development practices. For some teams, however, there's a dearth of development -- and perhaps security -- knowledge and experience. These organizations might find low-code/no-code a better option.
Low-code/no-code platforms can also improve security when it comes to package and library updates. It's easy to fall behind with updates, leaving applications exposed to attacks due to vulnerable components in the code they're building with. This still necessitates investigation of the provider(s) involved, but the development platform's team could be more in tune to threats and new vulnerabilities related to packages and libraries, and update frequency may, therefore, be more consistent.
More secure platform, application testing
Another low-code/no-code security use case is the hosting environment itself. If the provider is reputable and provides sound service-level agreements and security control attestation, using it for deployments could reduce risk. As with the last use case, this depends on an organization's current deployment circumstances and security capabilities.
For nonsensitive applications that need to be quickly deployed -- and potentially by unskilled users within different business units -- low-code/no-code could serve as a viable means of deploying prototype applications to test efficacy and user interaction before moving to a longer-term model.
Security-specific use cases
Last but certainly not least, low-code/no-code applications could be built specifically for security operations and functions. Most security professionals have little to no coding experience themselves, making them like most typical users of low-code/no-code services. Today, there's a growing need for custom security scripts and functions, primarily to drive automation playbooks for response and event management, among others. Even if low-code/no-code approaches don't end up being the final code used in production security operations, they could prove useful in validating playbooks and workflows during tabletop exercises or other simulations.
As low-code/no-code matures, it's likely more APIs and integration opportunities become available, providing more palatable and flexible options for integration with other security tools and services in use.
While we should be cautious and evaluate low-code/no-code services with a skeptical eye, there are likely some fantastic use cases that benefit security professionals as well, and this is likely to grow over time.